One insurer says it's seen the number of cyber insurance claims for ransomware increase in recent months.

From July to September, security researchers counted at least 39 new types or variants of ransomware. (Source: Malwarebytes)

"In September, our insureds were hit particularly hard, with notifications to Beazley of ransomware attacks more than doubling relative to August," Beazley Breach Response Services, which is part of London-based insurance business Beazley, says in a blog posted on Thursday. "It is unclear if this spike will continue, as up until September the overall number of ransomware incidents in 2018 has been holding steady with 2017 numbers."

Barriers to entry for would-be ransomware users remain low, enabling attackers with scant technological ability or knowledge to make use of ransomware as a cybercrime revenue stream (see: Why Cybercrime Remains Impossible to Eradicate).

Ransomware called Kraken Cryptor, for example, gets distributed as part of an affiliate arrangement: "partners" sign up for $50 and receive customized versions of the ransomware, with a ransom amount they preset, to distribute themselves. In return, they agree to automatically remit 20 percent of every ransom paid to Kraken's development team. Information security firms say such ransomware tends to be distributed via spam or phishing attacks (see: Crypto-Locking Kraken Ransomware Looms Larger).

Advanced Attackers: SamSam

Consumer/business ransomware detections from January 2018 to September 2018. Note: Vertical axes have different units of measurements. (Source: Malwarebytes)

Security firm Symantec says that as of last week, it counted 67 attacks that infected global organizations with SamSam ransomware. Strains of the ransomware have been linked to the March attack against the city of Atlanta. The city declined to pay the ransom and said incident response and security overhaul costs could hit $17 million.

SamSam was also tied to a February attack against the Colorado Department of Transportation, leading to state officials opting to take more than 2,000 systems offline. The state said it did not pay the ransom, and it budgeted up to $2 million for cleanup costs.

Hardest Hit: Healthcare

SamSam attacks target all sectors, but Symantec says that healthcare was the hardest hit, accounting for one-quarter of all successful attacks. It also notes that 56 of the 67 attacks it saw targeted U.S. firms, with a small number of attacks against targets in Portugal, France, Australia, Ireland and Israel.

Beazley says that based on claims made by cyber insurance policyholders, healthcare remains the sector hardest hit by ransomware, accounting for about one-third of all claims. "In the first nine months of 2018, 71 percent of ransomware incidents handled by BBR Services impacted small and medium-sized businesses," Beazley says.

Ransom Demands: Bitcoin, Please

Ransomware response firm Coveware, based in Westport, Connecticut, says that 98 percent of the ransomware attacks to which it responded in the third quarter involved ransom demands payable in bitcoin. A small number demanded payment in Dash or other cryptocurrencies with additional privacy features.

Coveware says the average ransom paid by firms that it worked with was about $6,000, although that was sometimes lower than the initial amount that a ransomware gang demanded. The firm declined to say how many firms it had worked on behalf of to resolve ransomware issues. "Because we are a young private company in a competitive industry, we do not publish case volume," CEO Bill Siegel tells Information Security Media Group. "I can tell you that the number is large enough to be more than statistically significant."

In the third quarter of this year, Coveware says the average ransom paid to attackers was $5,974. (Source: Coveware)

Coveware says that from July through September, the most common ransomware attacks that it tracked were Dharma/CrySiS, GandCrab and Global Imposter.

Cryptomining: Still a Threat

Warnings about the ongoing threat posed by ransomware come despite many attackers shifting to malware designed to mine for virtual currency by surreptitiously using an infected PC or server's CPU cycles.

In September, Europol - the EU's law enforcement intelligence agency - warned that while "cryptomining malware is expected to become a regular, low-risk revenue stream for cybercriminals," ransomware continues to remain "the key malware threat" being seen by both law enforcement agencies and information security firms (see: Cybercrime: 15 Top Threats and Trends).

"Broadly speaking, we've seen ransomware as one of the dominant forms of attack throughout the last year, though it's starting to slow down a little and lose something in terms of innovative attacks," Christopher Boyd, lead malware intelligence analyst at security firm Malwarebytes, told ISMG in September.

RDP: Often Brute-Forced

But security experts say some operators, including the gang behind SamSam, are more advanced. "The SamSam group's modus operandi is to gain access to an organization's network and spend time performing reconnaissance by mapping out the network before encrypting as many computers as possible and presenting the organization with a single ransom demand," Symantec's Security Response Attack Investigation Team says in a blog post.

Incident response firms say groups such as SamSam often access targeted networks by either brute-forcing their way into systems that have remote desktop protocol enabled or purchasing RDP credentials that have been stolen or hacked by others.

In the right hands, RDP is a legitimate tool. But when attackers gain access to it, RDP provides easy, remote and often persistent access to an organization's network.

"In July 2018, Samsam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company," the FBI's Internet Complaint Center, IC3, says in an RDP alert published in September. "The ransomware was able to encrypt thousands of machines before detection."

"Remote administration tools ... as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP access," IC3's September alert states. "Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the internet to compromise identities, steal login credentials and ransom other sensitive information."

Coveware says that while it does not perform the digital forensics part of a ransomware incident response, more than 90 percent of the attacks that it saw from July to September appeared to involve attackers gaining access to an organization's network via RDP.

Given the danger of RDP attacks and the difficulty of spotting them, the FBI says organizations should consider disabling the protocol if it's not required. Otherwise, it says, organizations should avoid weak passwords and outdated versions of RDP, restrict access to RDP ports (TCP 3389 is the default) and block unlimited logon attempts.
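The brute-force pattern described in this section, many failed RDP logons from one source followed by a success, is something a defender can spot in the Windows Security log. The following is an added example, not code from the article or from the FBI or Symantec: a thresholding rule in Python run over constructed, simplified logon records (Event 4625 failed logon, Event 4624 successful logon, logon type 10 for RDP); the hosts, IP addresses and account names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log records, reduced to the fields the rule needs:
# (timestamp, event_id, logon_type, source_ip, account). IPs and names are hypothetical.
SAMPLE_EVENTS = [
    ("2018-09-14T02:00:05", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-09-14T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2018-09-14T02:00:14", 4625, 10, "203.0.113.7", "backup"),
    ("2018-09-14T02:00:20", 4625, 10, "203.0.113.7", "scanner"),
    ("2018-09-14T02:00:27", 4625, 10, "203.0.113.7", "jsmith"),
    ("2018-09-14T02:00:33", 4625, 10, "203.0.113.7", "jsmith"),
    ("2018-09-14T02:01:02", 4624, 10, "203.0.113.7", "jsmith"),   # guess succeeded
    ("2018-09-14T02:05:00", 4625, 3, "10.0.0.15", "svc_sql"),      # network logon, not RDP
    ("2018-09-14T03:10:00", 4625, 10, "198.51.100.9", "rdpuser"),
    ("2018-09-14T03:40:00", 4625, 10, "198.51.100.9", "rdpuser"),  # two slow failures: benign
]

RDP_LOGON_TYPE = 10  # RemoteInteractive, i.e. RDP / Terminal Services

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source that produced at least `threshold`
    failed RDP logons (4625, type 10) inside `window`; a later successful RDP logon
    (4624, type 10) from the same source is recorded as `success_after`."""
    recent = defaultdict(deque)  # source_ip -> failure timestamps still inside the window
    alerts = {}
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue  # other logon types are outside this rule's scope
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src]
            q.append(t)
            while t - q[0] > window:
                q.popleft()  # forget failures older than the window
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src] = {"first": q[0], "failures": len(q), "success_after": False}
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_after"] = True  # burst followed by a logon: investigate now
            alerts[src]["account"] = account
    return alerts

if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```

The slow source never trips the rule because its two failures fall outside the five-minute window, which is the kind of low-and-slow guessing that account lockout and restricted port access catch better than thresholds.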

More Legitimate Tools: Suborned

After gaining access to a network, an attack group may use legitimate administrator tools to disguise their reconnaissance and infection activities.

Symantec says that in a February SamSam attack it investigated, attackers gained access to an organization's network, used PsInfo - a legitimate Microsoft tool - to study the network and ran the freely available hacking tool Mimikatz to steal passwords from some systems. Two days later, attackers returned and installed two versions of SamSam - likely one was a backup, in case the other got detected - and one hour later, it was pushed out to about 250 other systems using another legitimate Microsoft tool called PsExec. About five hours later, all of the affected systems had been cryptolocked.

These tactics have been previously seen in attacks attributed to nation-states, Symantec says. For example, the NotPetya malware outbreak, which began in June 2017 and was attributed to Russia, had the ability to spread via PsExec as well as to use Mimikatz to steal passwords (see: Maersk Previews NotPetya Impact: Up to $300 Million).
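PsExec leaves a trace when it is used at scale: each target's System log records the installation of its remote service (Event ID 7045), and a push to hundreds of machines inside an hour shows up as a burst of such installs across many hosts. The following is an added example, not code from Symantec or the article: Python that groups constructed, simplified 7045 records into bursts and flags those touching several distinct hosts; hostnames, paths and timestamps are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample System-log service-install records (Event ID 7045), reduced to
# (timestamp, host, service_name, image_path). Hostnames and paths are hypothetical.
SAMPLE_7045 = [
    ("2018-02-06T09:00:00", "WS-0101", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2018-02-06T09:00:11", "WS-0102", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2018-02-06T09:00:19", "FS-01",   "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2018-02-06T09:00:40", "WS-0107", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2018-02-06T09:01:03", "WS-0110", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2018-02-06T09:05:00", "WS-0111", "VendorUpdate", r"C:\Program Files\Vendor\upd.exe"),
    ("2018-02-08T14:00:00", "WS-0201", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),  # lone admin use
]

def is_psexec_install(service_name, image_path):
    """PsExec installs its remote service as PSEXESVC by default; its -r switch renames
    the service, so the image path is checked as well."""
    return "PSEXESVC" in service_name.upper() or "PSEXESVC" in image_path.upper()

def find_psexec_bursts(events, min_hosts=3, max_gap=timedelta(minutes=5)):
    """Group PsExec service installs into bursts (consecutive installs no more than
    `max_gap` apart) and return those that touched at least `min_hosts` distinct hosts."""
    hits = sorted((datetime.fromisoformat(ts), host)
                  for ts, host, svc, path in events if is_psexec_install(svc, path))
    bursts, current = [], []
    for t, host in hits:
        if current and t - current[-1][0] > max_gap:
            bursts.append(current)  # gap too long: start a new burst
            current = []
        current.append((t, host))
    if current:
        bursts.append(current)
    return [
        {"start": b[0][0], "end": b[-1][0], "hosts": sorted({h for _, h in b})}
        for b in bursts if len({h for _, h in b}) >= min_hosts
    ]

if __name__ == "__main__":
    for burst in find_psexec_bursts(SAMPLE_7045):
        print(burst["start"], burst["end"], len(burst["hosts"]), "hosts:", burst["hosts"])
```

The lone install two days later is an ordinary administrator use and stays below the threshold; tune `min_hosts` and `max_gap` to how PsExec is legitimately used in the environment.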

Backups: Keep Them Disconnected

Security experts say that besides keeping their anti-virus systems updated, it's essential for all firms to maintain up-to-date, disconnected backups. Doing so can help them to rapidly wipe and restore any systems that suffer a crypto-locking malware infection.

But information security experts warn that paying attackers directly funds further ransomware attacks, may lead attackers to launch further attacks against the organization, and offers no guarantee that the victim will receive a decryption key or that it will work (see: Please Don't Pay Ransoms, FBI Urges).

Cybersecurity services firm Kivu in May warned that it had seen an increase in poorly coded ransomware that left at least some crypto-locked data unrecoverable. In particular, it reported seeing problems with such strains as Rapid, Triple M, Sigma, Thanatos, Mamba and BitPaymer.

In the case of Rapid, for example, the encryption process used by the ransomware left simpler file types recoverable, but irrevocably damaged more complex types of files. "The initial encryption process permanently corrupts SQL databases, email folders and virtual drives. These will remain partially or completely corrupted even after the attackers' decryption tools are run," Kivu reported. "At a minimum, even if you pay a ransom - typically 1 bitcoin - you're looking at extensive restoration of the corrupted files, which can take weeks."

Infection: May Mask Bigger Problems

Organizations hit by ransomware may also only be seeing the final stages of a more long-running attack. Before systems get crypto-locked, attackers may have already ransacked an organization's systems for monetizable information.

"We have seen cases where the RDP endpoint has been compromised by a different threat actor and access to the compromised site maintained for a period of weeks before being used for a ransomware attack," incident response expert David Stubley, CEO of cybersecurity testing and consultancy firm 7 Elements in Edinburgh, Scotland, has told ISMG. "Presumably they sold access once finished with whatever they wanted from the compromised server or environment."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
